The Hacker News — Cyber Security, Hacking, Technology News

A severe security vulnerability has been discovered in the CloudFlare content delivery network that has caused big-name websites to expose private session keys and other sensitive data.

CloudFlare, a content delivery network (CDN) and web security provider that helps optimize safety and performance of over 5.5 Million websites on the Internet, is warning its customers of the critical bug that could have exposed a range of sensitive information, including passwords, and cookies and tokens used to authenticate users.

Dubbed Cloudbleed, the nasty flaw is named after the Heartbleed bug that was discovered in 2014, but believed to be worse than Heartbleed.

The vulnerability is so severe that it not only affects websites on the CloudFlare network but affects mobile apps as well.

What exactly is "Cloudbleed," how it works, how are you affected by this bug, and how you can protect yourself? Let's figure it out.

What is Cloudbleed?

Discovered by Google Project Zero security researcher Tavis Ormandy over a week ago, Cloudbleed is a major flaw in the Cloudflare Internet infrastructure service that causes the leakage of private session keys and other sensitive information across websites hosted behind Cloudflare.

CloudFlare acts as a proxy between the user and web server, which caches content for websites that sits behind its global network and lowers the number of requests to the original host server by parsing content through Cloudflare’s edge servers for optimization and security.

Almost a week ago, Ormandy discovered a buffer overflow issue with Cloudflare's edge servers that were running past the end of a buffer and were returning memory containing private data like HTTP cookies, authentication tokens, and HTTP POST bodies, with some of the leaked data already cached by search engines.

But the company was not checking if the obfuscation parsers returned a negative value because of malicious HTML.

The Cloudflare's "ScrapeShield" feature parses and obfuscates HTML, but since reverse proxies are shared among customers, it would affect all CloudFlare customers.

Ormandy contacted Cloudflare and reported it about his findings. The company identified the cause of the issue, and immediately disabled 3 minor Cloudflare features — Email obfuscation, Server-side Excludes, as well as Automatic HTTPS Rewrites — that were using the same HTML parser chain, which was causing the leakage.

Ormandy observed encryption keys, passwords, cookies, chunks of POST data, and HTTPS requests for the other leading Cloudflare-hosted websites from other users and immediately contacted Cloudflare.

Since CloudFlare patched the issue but did not notify customers by Wednesday of the data leak issue, Ormandy made public his findings on Thursday, following Project Zero's seven-day policy for actively exploited attacks.

Following Ormandy's public disclosure of the vulnerability on Thursday, CloudFlare confirmed the flaw, ensuring its customers that their SSL private keys were not leaked.

"Cloudflare has always terminated SSL connections through an isolated instance of NGINX that was not affected by this bug," Cloudflare CTO John Graham-Cumming wrote in a blog post. "The bug was serious because the leaked memory could contain private information and because it had been cached by search engines."

"We are disclosing this problem now as we are satisfied that search engine caches have now been cleared of sensitive information," he added. "We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence."

The Root Cause of Cloudbleed:

The root cause of the Cloudbleed vulnerability was that "reaching the end of a buffer was checked using the equality operator and a pointer was able to step past the end of the buffer." "Had the check been done using >= instead of == jumping over the buffer end would have been caught," said Cumming.

Cloudflare has also confirmed that the greatest period of impact was between February 13 and February 18 with almost one in every 3,300,000 HTTP requests via Cloudflare potentially resulting in memory leakage, which is about 0.00003% of requests.

However, the researcher argued that the DNS provider was double-dealing, claiming that the Cloudbleed vulnerability had existed for months, based on Google's cached data.

How Does Cloudbleed Affect You?

There are a large number of Cloudflare's services and websites that use parsing HTML pages and modify them through the Cloudflare's edge servers.

Even if you do not use CloudFlare directly, that does not mean that you are spared. There is always a chance that websites you visit and web services you use may have been affected, leaking your data as well.

Of course, if you are using Cloudflare services in front of your site, the flaw could impact you, exposing sensitive information that flowed between your servers and end-users through CloudFlare's proxies.

While CloudFlare's service was rapidly patched the bug and has said the actual impact is relatively minor, data was leaking constantly before this — for months.

Some of this leaked data were publicly cached in search engines such as Google, Bing, Yahoo, who now removed it, but some engines like DuckDuckGo still host those data.

Also, other leaked data might exist in other services and caches throughout the Web, which is impossible to delete across all of these locations.

Cloudbleed Also Affects Mobile Apps

Cloudbleed also affects mobile apps, because, in many cases, the apps are designed to make use of the same backends as browsers for content delivery and HTTPS (SSL/TLS) termination.

Users on YCombinator have confirmed the presence of HTTP header data for apps like Discord, FitBit, and Uber by searching through DuckDuckGo caches with targeted search terms.

In an analysis conducted by NowSecure, the researchers have discovered some 200 iOS apps that identified as using Cloudflare services from a sampling of some 3,500 of the most popular apps on the app store.

There is always a possibility of someone discovering this vulnerability before Tavis, and may have been actively exploiting it, although there is no evidence to support this theory.

Some of the Cloudflare's major customers affected by the vulnerability included Uber, 1Password, FitBit, and OKCupid. However, in a blog post published by 1Password, the company assured its users that no sensitive data was exposed because the service was encrypted in transit.

However, a list of websites that have potentially been impacted by this bug has been published by a user, who go by the name of 'pirate,' on GitHub, which also included CoinBase, 4Chan, BitPay, DigitalOcean, Medium, ProductHunt, Transferwise, The Pirate Bay, Extra Torrent, BitDefender, Pastebin, Zoho, Feedly, Ashley Madison, Bleeping Computer, The Register, and many more.

Since CloudFlare does not yet provide the list of affected services, bear in mind that this is not a comprehensive list.

What should You do about the Cloudbleed bug?

Online users are strongly recommended to reset their passwords for all accounts in case you have reused the same passwords on every site, as well as monitor account activity closely as cleanup is underway.

Moreover, customers who are using Cloudflare for their websites are advised to force a password change for all of their users.

Update: Uber representative reached out to me via an email and said their investigation revealed that the CloudBleed bug exposed no passwords of their customers. Here's the statement provided by Uber:

"Very little Uber traffic actually goes through Cloudflare, so only a handful of tokens were involved and have since been changed. Passwords were not exposed."

Meanwhile, DuckDuckGo spokesperson also reached out to The Hacker News and said the search engine has removed the leaked data from DuckDuckGo.

After almost two months of untimely and unexpected outage, The Pirate Bay (TPB) finally came back this weekend. But the re-launch of the infamous torrent-indexing website raised a question among those suspicious about this new setup — Is it really The Pirate Bay?

A few days back we reported that The Pirate Bay – a widely popular file-sharing website predominantly used to share copyrighted material free of charge – had made its return to the Internet once again after suffering two months of outage following a police raid in Sweden late last year.

Many users, including I, thought the site left dead as last took down was the longest outage the torrenting site has ever experienced. But history repeats and The Pirate Bay made its way a day before it claimed. Pirate lovers around the world rejoiced while others noticed something very suspicious.

IS THE FBI RUNNING THE PIRATE BAY ?

The truth behind The Pirate Bay, like who was driving the re-emergence of the site or who would be currently running the site, is all not known.

But because it was seized and took down the law enforcement, The Pirate Bay could now be in the hands of the FBI, and brought back online as a "honeypot", or fake site meant to collect evidence about users, including pirated content uploaders.

This is what some Reddit and Twitter users thought about the re-launch of the torrent download site. The comments on Reddit and a tweet by an Anonymous sect called The Anonymous Message also points to a federal honeypot masquerading as The Pirate Bay to catch pirates.

WHAT POINTS TO FBI ?

"ALERT: STAY AWAY from The Pirate Bay website as we-have gotten reports That It has-been Indirectly Seized by the FBI and is logging IPs," The Anonymous Message tweeted Sunday, but didn't provide any proof of the FBI involvement in The Pirate Bay.

However, the major concern people thought to have is The Pirate Bay’s use of CloudFlare’s CDN (Content Delivery Network) and its SSL service. CloudFlare is a content delivery network that is used by websites with high amounts of traffic in order to protect sites from DDoS attacks and was discovered on the new Pirate Bay upon its return.

Several people voiced concerns that The Pirate Bay, CDN Cloudflare uses in the United States and therefore speculated about a connection to the FBI.

To add more confusion, and create conspiracy, the admin also noted that he had fired all the moderators working for the site, reported Torrentfreak. "Due to severe security issues regarding the old moderator team all moderation has temporarily been disabled," the admin wrote.

THE PIRATE BAY RESPONDED – TPB IS REAL

Today, The Pirate Bay has responded to the concerns about its use of U.S.-based CDN service CloudFlare, explaining that it’s only using Cloudflare temporarily in order to cope with the continued stream of millions of visitors.

"We have seen that there has been some question to why we are using Cloudflare," TPB says in a statement. "This is only initially to handle the massive load upon the servers. It will be removed shortly."

The second concern was the lack of moderation on TPB. As soon as The Pirate Bay returned, many fake torrents have been posted to the site and without moderators these were not removed. However, TPB operators now explain that the decision to keep the staff out was taken as a security measure.

In order to deal with the spam and fake torrent problem TPB added a report link to every torrent details page. "Before we sort everything out we have instead added a 'Report link' to all torrents which you can find in the details page," the admin wrote. "We believe that the TPB community can help moderate the site for the time being."